oversight

Information Security: Further Efforts Needed to Fully Implement Statutory Requirements in DOD

Published by the Government Accountability Office on 2003-07-24.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                             United States General Accounting Office

GAO                          Testimony
                             Before the Subcommittee on Terrorism,
                             Unconventional Threats and Capabilities,
                             Committee on Armed Services, House of
                             Representatives
For Release on Delivery
Expected at 10:00 a.m. EDT
Thursday, July 24, 2003      INFORMATION SECURITY
                             Further Efforts Needed to
                             Fully Implement Statutory
                             Requirements in DOD
                             Statement of Robert F. Dacey
                             Director, Information Security Issues




GAO-03-1037T
                                              July 24, 2003


                                              INFORMATION SECURITY

                                              Further Efforts Needed to Fully
Highlights of GAO-03-1037T, a testimony       Implement Statutory Requirements in
before the Subcommittee on Terrorism,
Unconventional Threats and Capabilities,      DOD
Committee on Armed Services, House of
Representatives




The Department of Defense (DOD)               In its fiscal year 2002 report on efforts to implement information security
faces many risks in its use of                requirements under Government Information Security Reform law, DOD
globally networked computer                   reported that it has an aggressive information assurance program and
systems to perform operational                highlighted several initiatives to improve it. These initiatives included
missions------such as identifying and         developing an overall strategy and issuing numerous departmentwide
tracking enemy targets------and daily
management functions------such as             information security policy documents. DOD’s reporting highlighted other
paying soldiers and managing                  accomplishments, but acknowledged that a number of challenges remain
supplies. Weaknesses in these                 for the department in implementing both its policies and procedures and
systems, if present, could give               statutory information security requirements.
hackers and other unauthorized
users the opportunity to modify,              DOD reported several material control weaknesses, which included needing
steal, inappropriately disclose, and          to decrease the time necessary for correcting reported weaknesses and
destroy sensitive military data.              ensuring that computer security policies are enforced and security
                                              capabilities are tested regularly. Further, performance data DOD reported
GAO was asked, among other                    for a sample of its systems showed that further efforts are needed to fully
things, to discuss DOD’s efforts to           implement key information security requirements, such as testing systems’
protect its information systems and           security controls, throughout the department (see figure).
networks from cyber attack,
focusing on its reported progress in          Although DOD has undertaken its Defense-wide Information Assurance
implementing statutory information            Program to promote integrated, comprehensive, and consistent practices
security requirements.                        across the department and has recently issued both policy guidance and
                                              implementation instructions, it does not have mechanisms in place for
                                              comprehensively measuring compliance with federal and Defense
                                              information security policies and ensuring that those policies are
                                              consistently practiced throughout DOD.

                                              Reported Results for Selected DOD Information Security Performance Measures




www.gao.gov/cgi-bin/getrpt?GAO-03-1037T.

To view the full product, click on the link
above.
For more information, contact Robert F.
Dacey at (202) 512-3317 or daceyr@gao.gov.
Mr. Chairman and Members of the Subcommittee:

I am pleased to be here today to discuss the status of efforts by the
Department of Defense (DOD) to protect its information systems and
networks from cyber attack. DOD’s military services and agencies face
many risks in their use of globally networked computer systems to
perform operational missions, such as identifying and tracking enemy
targets, and daily management functions, such as paying soldiers and
managing supplies. Weaknesses in these systems, if present, could give
hackers and other unauthorized users the opportunity to modify, steal,
inappropriately disclose, and destroy sensitive military data.

Since 1996,1 we have reported that poor information security in federal
agencies is a widespread problem with potentially devastating
consequences. Further, we have identified information security as a
governmentwide high-risk issue in reports to the Congress since 1997—
most recently in January 2003.2 Concerned that significant weaknesses in
federal computer systems make them vulnerable to attack, in October
2000 the Congress passed and the President signed into law Government
Information Security Reform provisions (commonly known as GISRA)3 to
establish information security program, evaluation, and reporting
requirements for federal agencies—requirements that are now
permanently authorized and strengthened through the recently enacted
Federal Information Security Management Act of 2002 (FISMA).4

In my testimony today, I will first provide an overview of the increasing
nature of cyber security threats and vulnerabilities and of the continuing
pervasive weaknesses across the federal government that led GAO to
initially begin reporting information security as a high-risk issue. I will



1
U.S. General Accounting Office, Information Security: Opportunities for Improved OMB
Oversight of Agency Practices, GAO/AIMD-96-110 (Washington, D.C.: Sept. 24, 1996).
2
 U.S. General Accounting Office, High Risk Series: Protecting Information Systems
Supporting the Federal Government and the Nation’s Critical Infrastructures, GAO-03-121
(Washington, D.C.: January 2003).
3
Title X, Subtitle G—Government Information Security Reform, Floyd D. Spence
National Defense Authorization Act for Fiscal Year 2001, P.L.106-398, October 30, 2000.
4
 Title III—Federal Information Security Management Act of 2002, E-Government Act of
2002, P.L. 107-347, December 17, 2002. This act superseded an earlier version of FISMA
that was enacted as Title X of the Homeland Security Act of 2002.




Page 1                                                                    GAO-03-1037T
                   then discuss the status of DOD’s efforts to ensure the security of its
                   information systems and to implement the statutory information security
                   requirements, focusing on the performance data that DOD reported to the
                   Office of Management and Budget (OMB). Finally, I will discuss some of
                   the challenges for the department in establishing an effective information
                   security management program.

                   In preparing this testimony, we relied on prior reports and testimony on
                   information security both governmentwide and for DOD. We also analyzed
                   reports prepared by the DOD chief information officer and the DOD
                   inspector general (IG) for fiscal year 2002 GISRA reporting, as well as
                   recent DOD policy and guidance documents related to information
                   security. Further, we analyzed OMB’s May 2003 report to the Congress on
                   fiscal year 2002 GISRA implementation.5 We did not validate the accuracy
                   of the data reported by DOD or OMB. We performed our work in July
                   2003, in accordance with generally accepted government auditing
                   standards.


                   Protecting the computer systems that support our nation’s critical
Results in Brief   operations and infrastructures has never been more important.
                   Telecommunications, power distribution, water supply, public health
                   services, national defense (including the military’s warfighting capability),
                   law enforcement, government services, and emergency services all depend
                   on the security of their computer operations. Yet with this dependency
                   comes an increasing concern about attacks from individuals and groups
                   with malicious intent, such as crime, terrorism, foreign intelligence
                   gathering, and acts of war. Such concerns are well founded for a number
                   of reasons, including the dramatic increases in reported computer security
                   incidents, the ease of obtaining and using hacking tools, the steady
                   advance in the sophistication and effectiveness of attack technology, and
                   the dire warnings of new and more destructive attacks.

                   Although there have been some individual agency improvements, our most
                   recent analyses of audit and evaluation reports for the 24 major
                   departments and agencies continued to highlight significant information
                   security weaknesses that place a broad array of federal operations and



                   5
                    Office of Management and Budget, FY 2002 Report to Congress on Federal Government
                   Information Security Reform, May 16, 2003.




                   Page 2                                                                GAO-03-1037T
assets at risk of fraud, misuse, and disruption. For example, resources,
such as federal payments and collections, could be lost or stolen; sensitive
information, such as taxpayer data, social security records, medical
records, and proprietary business information, could be inappropriately
disclosed, browsed, or copied for purposes of espionage or other types of
crime; and critical operations, such as those supporting national defense
and emergency services, could be disrupted.

In its fiscal year 2002 GISRA report, DOD reported that the department has
an aggressive information assurance (IA) posture and highlighted several
initiatives to improve its IA program.6 These initiatives included
developing an overall strategy that identifies goals and objectives for the
program and issuing numerous information security policy directives,
instructions, manuals, and policy memorandums. Further, DOD’s GISRA
reporting highlighted other accomplishments, such as evaluating security
controls for a sample of its networks. However, this reporting also showed
that a number of challenges remain for the department in implementing
both its policies and procedures and statutory information security
requirements, as indicated by the material weaknesses it reported related
to its IA capabilities, and its performance data that showed further efforts
are needed to implement key requirements. For example, specific
deficiencies related to DOD’s material weaknesses included the need to
decrease the time necessary for correcting reported weaknesses and to
ensure that computer security policies are enforced and security
capabilities are tested regularly. Also, performance data reported by DOD
for a sample of its systems showed that further effort is needed by the
department to report on all its systems and to fully implement key
information security requirements, such as testing systems’ information
security controls and their contingency plans.

Our past work has shown that an important challenge agencies face in
implementing an effective information security management program is
ensuring that they have the appropriate management structures and
processes in place to strategically manage information security, as well as
to ensure the reliability of performance information. For example,
disciplined processes can routinely provide the agency with timely, useful
information for day-to-day management of information security. DOD has



6
IA refers to the range of information security activities and functions needed to protect
DOD’s information and systems.




Page 3                                                                       GAO-03-1037T
             undertaken its Defense-wide Information Assurance Program (DIAP) to
             promote integrated, comprehensive, and consistent IA practices across the
             department and has recently issued both policy guidance and
             implementation instructions. However, as indicated by the Defense audit
             community’s assessment of the DOD’s fiscal year 2001 GISRA data, DOD
             does not have mechanisms in place for comprehensively measuring
             compliance with federal and Defense information security policies and
             ensuring that those policies are consistently practiced throughout the
             department.


             Dramatic increases in computer interconnectivity, especially in the use of
Background   the Internet, continue to revolutionize the way our government, our
             nation, and much of the world communicate and conduct business. The
             benefits have been enormous. Vast amounts of information are now
             literally at our fingertips, facilitating research on virtually every topic
             imaginable; financial and other business transactions can be executed
             almost instantaneously, often 24 hours a day; and electronic mail, Internet
             Web sites, and computer bulletin boards allow us to communicate quickly
             and easily with a virtually unlimited number of individuals and groups.

             However, in addition to such benefits, this widespread interconnectivity
             poses significant risks to the government’s and our nation’s computer
             systems and, more important, to the critical operations and infrastructures
             they support. For example, telecommunications, power distribution, water
             supply, public health services, national defense (including the military’s
             warfighting capability), law enforcement, government services, and
             emergency services all depend on the security of their computer
             operations. The speed and accessibility that create the enormous benefits
             of the computer age on the other hand, if not properly controlled, allow
             individuals and organizations to inexpensively eavesdrop on or interfere
             with these operations from remote locations for mischievous or malicious
             purposes, including fraud or sabotage. Table 1 summarizes the key threats
             to our nation’s infrastructures, as observed by the Federal Bureau of
             Investigation (FBI).




             Page 4                                                         GAO-03-1037T
Table 1: Threats to Critical Infrastructure Observed by the FBI

    Threat                                     Description
    Criminal groups                            There is an increased use of cyber intrusions by criminal
                                               groups who attack systems for purposes of monetary
                                               gain.
    Foreign intelligence services              Foreign intelligence services use cyber tools as part of
                                               their information gathering and espionage activities.
    Hackers                                    Hackers sometimes crack into networks for the thrill of the
                                               challenge or for bragging rights in the hacker community.
                                               While remote cracking once required a fair amount of skill
                                               or computer knowledge, hackers can now download
                                               attack scripts and protocols from the Internet and launch
                                               them against victim sites. Thus, while attack tools have
                                               become more sophisticated, they have also become
                                               easier to use.
    Hacktivists                                Hacktivism refers to politically motivated attacks on
                                               publicly accessible Web pages or E-mail servers. These
                                               groups and individuals overload E-mail servers and hack
                                               into Web sites to send a political message.
    Information warfare                        Several nations are aggressively working to develop
                                               information warfare doctrine, programs, and capabilities.
                                               Such capabilities enable a single entity to have a
                                               significant and serious impact by disrupting the supply,
                                               communications, and economic infrastructures that
                                               support military power—impacts that, according to the
                                               Director of Central Intelligence,a can affect the daily lives
                                               of Americans across the country.
    Insider threat                             The disgruntled organization insider is a principal source
                                               of computer crimes. Insiders may not need a great deal of
                                               knowledge about computer intrusions because their
                                               knowledge of a victim system often allows them to gain
                                               unrestricted access to cause damage to the system or to
                                               steal system data. The insider threat also includes
                                               outsourcing vendors.
    Virus writers                              Virus writers are posing an increasingly serious threat.
                                               Several destructive computer viruses and “worms” have
                                               harmed files and hard drives, including the Melissa Macro
                                               Virus, the Explore.Zip worm, the CIH (Chernobyl) Virus,
                                               Nimda, and Code Red.
Source: Federal Bureau of Investigation unless otherwise indicated
a
Prepared Statement of George J. Tenet, Director of Central Intelligence, before the Senate Select
Committee on Intelligence, February 2, 2000.


Government officials remain concerned about attacks from individuals
and groups with malicious intent, such as crime, terrorism, foreign
intelligence gathering, and acts of war. According to the FBI, terrorists,
transnational criminals, and intelligence services are quickly becoming


Page 5                                                                                       GAO-03-1037T
aware of and using information exploitation tools such as computer
viruses, Trojan horses, worms, logic bombs, and eavesdropping sniffers
that can destroy, intercept, degrade the integrity of, or deny access to
data.7 In addition, the disgruntled organization insider is a significant
threat, since these individuals often have knowledge that allows them to
gain unrestricted access and inflict damage or steal assets without
possessing a great deal of knowledge about computer intrusions. As
greater amounts of money are transferred through computer systems, as
more sensitive economic and commercial information is exchanged
electronically, and as the nation’s defense and intelligence communities
increasingly rely on commercially available information technology (IT),
the likelihood increases that information attacks will threaten vital
national interests.

As the number of individuals with computer skills has increased, more
intrusion or “hacking” tools have become readily available and relatively
easy to use. A hacker can literally download tools from the Internet and
“point and click” to start an attack. Experts also agree that there has been
a steady advance in the sophistication and effectiveness of attack
technology. Intruders quickly develop attacks to exploit vulnerabilities
discovered in products, use these attacks to compromise computers, and
share them with other attackers. In addition, they can combine these
attacks with other forms of technology to develop programs that
automatically scan the network for vulnerable systems, attack them,
compromise them, and use them to spread the attack even further.




7
 Virus: a program that “infects” computer files, usually executable programs, by inserting a
copy of itself into the file. These copies are usually executed when the “infected” file is
loaded into memory, allowing the virus to infect other files. Unlike the computer worm, a
virus requires human involvement (usually unwitting) to propagate. Trojan horse: a
computer program that conceals harmful code. A Trojan horse usually masquerades as a
useful program that a user would wish to execute. Worm: an independent computer
program that reproduces by copying itself from one system to another across a network.
Unlike computer viruses, worms do not require human involvement to propagate. Logic
bomb: in programming, a form of sabotage in which a programmer inserts code that causes
the program to perform a destructive action when some triggering event occurs, such as
terminating the programmer’s employment. Sniffer: synonymous with packet sniffer. A
program that intercepts routed data and examines each packet in search of specified
information, such as passwords transmitted in clear text.




Page 6                                                                      GAO-03-1037T
Along with these increasing threats, the number of computer security
incidents reported to the CERT® Coordination Center8 has also risen
dramatically from 9,859 in 1999 to 82,094 in 2002 and 76,404 for just the
first half of 2003. And these are only the reported attacks. The Director of
CERT Centers stated that he estimates that as much as 80 percent of
actual security incidents goes unreported, in most cases because (1) the
organization was unable to recognize that its systems had been penetrated
or there were no indications of penetration or attack or (2) the
organization was reluctant to report. Figure 1 shows the number of
incidents reported to the CERT Coordination Center from 1995 through
the first half of 2003.

Figure 1: Information Security Incidents Reported to Carnegie-Mellon’s CERT
Coordination Center from 1995 through the First Half of 2003




According to the National Security Agency, foreign governments already
have or are developing computer attack capabilities, and potential
adversaries are developing a body of knowledge about U.S. systems and



8
 The CERT® Coordination Center (CERT® CC) is a center of Internet security expertise at
the Software Engineering Institute, a federally funded research and development center
operated by Carnegie Mellon University.




Page 7                                                                  GAO-03-1037T
methods to attack these systems. Since the terrorist attacks of September
11, 2001, warnings of the potential for terrorist cyber attacks against our
critical infrastructures have also increased. For example, in February 2002,
the threat to these infrastructures was highlighted by the Special Advisor
to the President for Cyberspace Security in a Senate briefing when he
stated that although to date none of the traditional terrorists groups, such
as al Qaeda, have used the Internet to launch a known assault on the
United States’ infrastructure, information on water systems was
discovered on computers found in al Qaeda camps in Afghanistan.9 Also, in
his February 2002 statement for the Senate Select Committee on
Intelligence, the director of central intelligence discussed the possibility of
cyber warfare attack by terrorists.10 He stated that the September 11
attacks demonstrated the nation’s dependence on critical infrastructure
systems that rely on electronic and computer networks. Further, he noted
that attacks of this nature would become an increasingly viable option for
terrorists as they and other foreign adversaries become more familiar with
these targets and the technologies required to attack them.

Since September 11, 2001, the critical link between cyberspace and
physical space has been increasingly recognized. In his November 2002
congressional testimony, the Director of the CERT Centers at Carnegie-
Mellon University noted that supervisory control and data acquisition
(SCADA) systems and other forms of networked computer systems have
been used for years to control power grids, gas and oil distribution
pipelines, water treatment and distribution systems, hydroelectric and
flood control dams, oil and chemical refineries, and other physical
systems, and that these control systems are increasingly being connected
to communications links and networks to reduce operational costs by
supporting remote maintenance, remote control, and remote update
functions.11 These computer-controlled and network-connected systems


9
 “Administrative Oversight: Are We Ready for A CyberTerror Attack?” Testimony before the
Senate Committee on the Judiciary, Subcommittee on Administrative Oversight and the
Courts, by Richard A. Clarke, Special Advisor to the President for Cyberspace Security and
Chairman of the President’s Critical Infrastructure Protection Board (Feb. 13, 2002).
10
 Testimony of George J. Tenet, Director of Central Intelligence, before the Senate Select
Committee on Intelligence, Feb. 6, 2002.
11
 Testimony of Richard D. Pethia, Director, CERT Centers, Software Engineering Institute,
Carnegie Mellon University, before the House Committee on Government Reform,
Subcommittee on Government Efficiency, Financial Management and Intergovernmental
Relations, November 19, 2002.




Page 8                                                                      GAO-03-1037T
    are potential targets for individuals bent on causing massive disruption
    and physical damage, and the use of commercial, off-the-shelf
    technologies for these systems without adequate security enhancements
    can significantly limit available approaches to protection and may increase
    the number of potential attackers.

    The risks posed by this increasing and evolving threat are demonstrated in
    reports of actual and potential attacks and disruptions. For example:

•   On February 11, 2003, the National Infrastructure Protection Center
    (NIPC) issued an advisory to heighten the awareness of an increase in
    global hacking activities as a result of the increasing tensions between the
    United States and Iraq.12 This advisory noted that during a time of
    increased international tension, illegal cyber activity often escalates, such
    as spamming, Web page defacements, and denial-of-service attacks.
    Further, this activity can originate within another country that is party to
    the tension, can be state sponsored or encouraged, or can come from
    domestic organizations or individuals independently. The advisory also
    stated that attacks may have one of several objectives, including political
    activism targeting Iraq or those sympathetic to Iraq by self-described
    “patriot” hackers, political activism or disruptive attacks targeting U.S.
    systems by those opposed to any potential conflict with Iraq, or even
    criminal activity masquerading or using the current crisis to further
    personal goals.

•   According to a preliminary study coordinated by the Cooperative
    Association for Internet Data Analysis (CAIDA), on January 25, 2003, the
    SQL Slammer worm (also known as “Sapphire”) infected more than 90
    percent of vulnerable computers worldwide within 10 minutes of its
    release on the Internet, making it the fastest computer worm in history. As
    the study reports, exploiting a known vulnerability for which a patch has
    been available since July 2002, Slammer doubled in size every 8.5 seconds
    and achieved its full scanning rate (55 million scans per second) after
    about 3 minutes. It caused considerable harm through network outages
    and such unforeseen consequences as canceled airline flights and
    automated teller machine (ATM) failures. Further, the study emphasizes
    that the effects would likely have been more severe had Slammer carried a



    12
     National Infrastructure Protection Center, National Infrastructure Protection Center
    Encourages Heightened Cyber Security as Iraq—U.S. Tensions Increase, Advisory 03-
    002 (Washington, D.C.: Feb. 11, 2003).




    Page 9                                                                   GAO-03-1037T
    malicious payload, attacked a more widespread vulnerability, or targeted a
    more popular service.

•   In November 2002, news reports indicated that a British computer
    administrator was indicted on charges that he broke into 92 U.S. computer
    networks in 14 states; these networks belonged to the Pentagon, private
    companies, and the National Aeronautics and Space Administration during
    the past year, causing some $900,000 in damage to computers. According
    to a Justice Department official, these attacks were one of the biggest
    hacks ever against the U.S. military. This official also said that the attacker
    used his home computer and automated software available on the Internet
    to scan tens of thousands of computers on U.S. military networks looking
    for ones that might suffer from flaws in Microsoft Corporation’s Windows
    NT operating system software.

•   On October 21, 2002, NIPC reported that all the 13 root-name servers that
    provide the primary roadmap for almost all Internet communications were
    targeted in a massive “distributed denial of service” attack. Seven of the
    servers failed to respond to legitimate network traffic, and two others
    failed intermittently during the attack. Because of safeguards, most
    Internet users experienced no slowdowns or outages.

•   In July 2002, NIPC reported that the potential for compound cyber and
    physical attacks, referred to as “swarming attacks,” is an emerging threat
    to the U.S. critical infrastructure.13 As NIPC reports, the effects of a
    swarming attack include slowing or complicating the response to a
    physical attack. For example, cyber attacks can be used to delay the
    notification of emergency services and to deny the resources needed to
    manage the consequences of a physical attack. In addition, a swarming
    attack could be used to worsen the effects of a physical attack. For
    instance, a cyber attack on a natural gas distribution pipeline that opens
    safety valves and releases fuels or gas in the area of a planned physical
    attack could enhance the force of the physical attack. Consistent with this
    threat, NIPC also released an information bulletin in April 2002 warning
    against possible physical attacks on U.S. financial institutions by
    unspecified terrorists.14



    13
     National Infrastructure Protection Center, Swarming Attacks: Infrastructure Attacks for
    Destruction and Disruption (Washington, D.C.: July 2002).
    14
     National Infrastructure Protection Center, Possible Terrorism Targeting of US Financial
    System–Information Bulletin 02-003 (Washington, D.C.: Apr. 19, 2002).




    Page 10                                                                  GAO-03-1037T
                        •   In August 2001, we reported to a subcommittee of the House Government
                            Reform Committee that the attacks referred to as Code Red, Code Red II,
                            and SirCam had affected millions of computer users, shut down Web sites,
                            slowed Internet service, and disrupted business and government
                            operations.15 Then in September 2001, the Nimda worm appeared using
                            some of the most significant attack profile aspects of Code Red II and
                            1999’s infamous Melissa virus that allowed it to spread widely in a short
                            amount of time. Security experts estimate that Code Red, Sircam, and
                            Nimda have caused billions of dollars in damage.


                            To better understand the risks facing DOD systems, it is useful to consider
Significant                 the overall status of information security for the federal government. Our
Weaknesses Persist in       analyses of information security at major federal agencies have shown that
                            federal systems were not being adequately protected from computer-based
Federal Information         threats, even though these systems process, store, and transmit enormous
Security                    amounts of sensitive data and are indispensable to many federal agency
                            operations. For the past several years, we have analyzed audit results for
                            24 of the largest federal agencies and found that all 24 had significant
                            information security weaknesses.16

                            As reported in November 2002, our latest analyses of reports issued from
                            October 2001 through October 2002, continued to show significant
                            weaknesses in federal computer systems that put critical operations and
                            assets at risk.17 Weaknesses continued to be reported in each of the 24
                            agencies included in our review,18 and they covered all six major areas of



                            15
                             U.S. General Accounting Office, Information Security: Code Red, Code Red II, and
                            SirCam Attacks Highlight Need for Proactive Measures, GAO-01-1073T (Washington, D.C.:
                            Aug. 29, 2001).
                            16
                             U.S. General Accounting Office, Information Security: Serious Weaknesses Place
                            Critical Federal Operations and Assets at Risk, GAO/AIMD-98-92 (Washington, D.C.: Sept.
                            23, 1998); Information Security: Serious and Widespread Weaknesses Persist at Federal
                            Agencies, GAO/AIMD-00-295 (Washington, D.C.: Sept. 6, 2000); Computer Security:
                            Improvements Needed to Reduce Risk to Critical Federal Operations and Assets,
                            GAO-02-231T (Washington, D.C.: Nov. 9, 2001); and Computer Security: Progress Made,
                            but Critical Federal Operations and Assets Remain at Risk, GAO-03-303T (Washington,
                            D.C.: Nov. 19, 2002).
                            17
                             GAO-03-303T.
                            18
                             Does not include the Department of Homeland Security that was created by the
                            Homeland Security Act in November 2002.




                            Page 11                                                                 GAO-03-1037T
general controls—the policies, procedures, and technical controls that
apply to all or a large segment of an entity’s information systems and help
ensure their proper operation. These six areas are (1) security program
management, which provides the framework for ensuring that risks are
understood and that effective controls are selected and properly
implemented; (2) access controls, which ensure that only authorized
individuals can read, alter, or delete data; (3) software development and
change controls, which ensure that only authorized software programs are
implemented; (4) segregation of duties, which reduces the risk that one
individual can independently perform inappropriate actions without
detection; (5) operating systems controls, which protect sensitive
programs that support multiple applications from tampering and misuse;
and (6) service continuity, which ensures that computer-dependent
operations experience no significant disruptions. Figure 2 illustrates the
distribution of weaknesses for the six general control areas across the 24
agencies.




Page 12                                                       GAO-03-1037T
Figure 2: Computer Security Weaknesses at 24 Major Federal Agencies




Although our analyses showed that most agencies had significant
weaknesses in these six control areas, as in past years’ analyses,
weaknesses were most often identified for security program management
and access controls.

For security program management, we identified weaknesses for all 24
agencies in 2002—the same as reported for 2001, and compared to 21 of
the 24 agencies (88 percent) in 2000. Security program management, which
is fundamental to the appropriate selection and effectiveness of the other
categories of controls, covers a range of activities related to understanding
information security risks; selecting and implementing controls
commensurate with risk; and ensuring that controls, once implemented,
continue to operate effectively.


Page 13                                                          GAO-03-1037T
For access controls, we found weaknesses for 22 of 24 agencies (92
percent) in 2002 (no significant weaknesses were found for one agency,
and access controls were not reviewed for another). This compares to
access control weaknesses found in all 24 agencies for both 2000 and 2001.
Weak access controls for sensitive data and systems make it possible for
an individual or group to inappropriately modify, destroy, or disclose
sensitive data or computer programs for purposes such as personal gain or
sabotage. In today’s increasingly interconnected computing environment,
poor access controls can expose an agency’s information and operations
to attacks from remote locations all over the world by individuals with
only minimal computer and telecommunications resources and expertise.

Our analyses also showed service-continuity-related weaknesses at 20 of
the 24 agencies (83 percent) with no significant weaknesses found for 3
agencies (service continuity controls were not reviewed for another). This
compares to 19 agencies with service continuity weaknesses found in 2001
and 20 agencies found in 2000. Service continuity controls are important in
that they help ensure that when unexpected events occur, critical
operations will continue without undue interruption and that crucial,
sensitive data are protected. If service continuity controls are inadequate,
an agency can lose the capability to process, retrieve, and protect
electronically maintained information, which can significantly affect an
agency’s ability to accomplish its mission. Further, such controls are
particularly important in the wake of the terrorist attacks of September 11,
2001.

These analyses of information security at federal agencies also showed
that the scope of audit work performed has continued to expand to more
fully cover all six major areas of general controls at each agency. Not
surprisingly, this has led to the identification of additional areas of
weakness at some agencies. These increases in reported weaknesses do
not necessarily mean that information security at federal agencies is
getting worse. They more likely indicate that information security
weaknesses are becoming more fully understood—an important step
toward addressing the overall problem. Nevertheless, the results leave no
doubt that serious, pervasive weaknesses persist. As auditors increase
their proficiency and the body of audit evidence expands, it is probable
that additional significant deficiencies will be identified.

Most of the audits represented in figure 2 were performed as part of
financial statement audits. At some agencies with primarily financial
missions, such as the Department of the Treasury and the Social Security
Administration, these audits covered the bulk of mission-related

Page 14                                                        GAO-03-1037T
    operations. However, at agencies whose missions are primarily
    nonfinancial, such as DOD and the Department of Justice, the audits may
    provide a less complete picture of the agency’s overall security posture
    because the audit objectives focused on the financial statements and did
    not include evaluations of individual systems supporting nonfinancial
    operations. However, in response to congressional interest, beginning in
    fiscal year 1999, we expanded our audit focus to cover a wider range of
    nonfinancial operations—a trend we expect to continue. Audit coverage
    for nonfinancial systems has also increased as agencies and their IGs
    reviewed and evaluated their information security programs as required by
    GISRA.

    To fully understand the significance of the weaknesses we identified, it is
    necessary to link them to the risks they present to federal operations and
    assets. Virtually all federal operations are supported by automated systems
    and electronic data, and agencies would find it difficult, if not impossible,
    to carry out their missions and account for their resources without these
    information assets. Hence, the degree of risk caused by security
    weaknesses is extremely high.

    The weaknesses identified place a broad array of federal operations and
    assets at risk. For example,

•   resources, such as federal payments and collections, could be lost or
    stolen;

•   computer resources could be used for unauthorized purposes or to launch
    attacks on others;

•   sensitive information, such as taxpayer data, social security records,
    medical records, and proprietary business information, could be
    inappropriately disclosed, browsed, or copied for purposes of espionage
    or other types of crime;

•   critical operations, such as those supporting national defense and
    emergency services, could be disrupted;

•   data could be modified or destroyed for purposes of fraud or disruption;
    and

•   agency missions could be undermined by embarrassing incidents that
    result in diminished confidence in their ability to conduct operations and
    fulfill their fiduciary responsibilities.


    Page 15                                                        GAO-03-1037T
                       Concerned with accounts of attacks on commercial systems via the
Congress               Internet and reports of significant weaknesses in federal computer
Consolidates and       systems that make them vulnerable to attack, on October 30, 2000,
                       Congress enacted GISRA, which was signed into law and became effective
Strengthens Federal    November 29, 2000, for a period of 2 years. GISRA supplemented
Information Security   information security requirements established in the Computer Security
                       Act of 1987, the Paperwork Reduction Act of 1995, and the Clinger-Cohen
Requirements           Act of 1996 and was consistent with existing information security guidance
                       issued by OMB19 and the National Institute of Standards and Technology
                       (NIST),20 as well as audit and best practice guidance issued by GAO.21

                       Most importantly, however, GISRA consolidated these separate
                       requirements and guidance into an overall framework for managing
                       information security and established new annual review, independent
                       evaluation, and reporting requirements to help ensure agency
                       implementation and both OMB and congressional oversight. GISRA
                       assigned specific responsibilities to OMB, agency heads and CIOs, and IGs.
                       OMB was responsible for establishing and overseeing policies, standards,
                       and guidelines for information security. This included the authority to
                       approve agency information security programs, but delegated OMB’s
                       responsibilities regarding national security systems to national security
                       agencies. OMB was also required to submit an annual report to the
                       Congress summarizing results of agencies’ independent evaluations of
                       their information security programs. OMB released its fiscal year 2001
                       report in February 2002 and its fiscal year 2002 report in May 2003.

                       GISRA required each agency, including national security agencies, to
                       establish an agencywide risk-based information security program to be
                       overseen by the agency CIO and ensure that information security is



                       19
                        Primarily OMB Circular A-130, Appendix III, “Security of Federal Automated Information
                       Resources,” February 1996.
                       20
                         Numerous publications made available at http://www.itl.nist.gov/ including National
                       Institute of Standards and Technology, Generally Accepted Principles and Practices for
                       Securing Information Technology Systems, NIST Special Publication 800-14, September
                       1996.
                       21
                        U.S. General Accounting Office, Federal Information System Controls Manual, Volume
                       1—Financial Statement Audits, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999);
                       Information Security Management: Learning from Leading Organizations,
                       GAO/AIMD-98-68 (Washington, D.C.: May 1998).




                       Page 16                                                                  GAO-03-1037T
    practiced throughout the life cycle of each agency system. Specifically,
    this program was to include

•   periodic risk assessments that consider internal and external threats to the
    integrity, confidentiality, and availability of systems, and to data
    supporting critical operations and assets;

•   the development and implementation of risk-based, cost-effective policies
    and procedures to provide security protections for information collected
    or maintained by or for the agency;

•   training on security responsibilities for information security personnel and
    on security awareness for agency personnel;

•   periodic management testing and evaluation of the effectiveness of
    policies, procedures, controls, and techniques;

•   a process for identifying and remediating any significant deficiencies;

•   procedures for detecting, reporting, and responding to security incidents;
    and

•   an annual program review by agency program officials.

    In addition to the responsibilities listed above, GISRA required each
    agency to have an annual independent evaluation of its information
    security program and practices, including control testing and compliance
    assessment. The evaluations of non-national-security systems were to be
    performed by the agency IG or an independent evaluator, and the results
    of these evaluations were to be reported to OMB. For the evaluation of
    national security systems, special provisions included having national
    security agencies designate evaluators, restricting the reporting of
    evaluation results, and having the IG or an independent evaluator perform
    an audit of the independent evaluation. For national security systems, only
    the results of each audit of an evaluation are to be reported to OMB.

    With GISRA expiring on November 29, 2002, on December 17, 2002, FISMA
    was enacted as title III of the E-Government Act of 2002 to permanently
    authorize and strengthen the information security program, evaluation,
    and reporting requirements established by GISRA. Among other things,
    FISMA also requires NIST to develop, for systems other than national
    security systems, (1) standards to be used by all agencies to categorize all
    their information and information systems based on the objectives of


    Page 17                                                        GAO-03-1037T
                         providing appropriate levels of information security according to a range
                         of risk levels; (2) guidelines recommending the types of information and
                         information systems to be included in each category; and (3) minimum
                         information security requirements for information and information
                         systems in each category. In addition, FISMA requires each agency to
                         develop, maintain, and annually update an inventory of major information
                         systems (including major national security systems) operated by the
                         agency or under its control. This inventory is also to include an
                         identification of the interfaces between each system and all other systems
                         or networks, including those not operated by or under the control of the
                         agency.


                         DOD has undertaken several initiatives to improve its information
DOD Highlights           security, including the development of an overall IA strategy and the
Initiatives, But Also    issuance of information security policy and guidance.22 However,
                         information that DOD’s CIO and IG submitted for fiscal year 2002 GISRA
Reports Weaknesses       reporting showed that a number of challenges remain for the department
                         in implementing both its policies and procedures and the statutory
                         information security requirements. These challenges are indicated by the
                         material weaknesses DOD reported related to its IA capabilities and its
                         performance data, which showed that further efforts are needed to
                         implement key requirements.


DOD Efforts to Improve   Overall, the DOD CIO reported in its fiscal year 2002 GISRA report that the
Information Security     department has an aggressive IA posture and highlighted several initiatives
                         to improve its IA program. In particular, DOD has developed an overall IA
                         strategic plan to define the department’s goals and objectives and to
                         provide a consistent departmentwide approach to information assurance.
                         Further, according to a DOD official, DOD is aligning its strategic
                         initiatives to objectives in this plan and is developing milestones and
                         performance measures to gauge success.

                         Specific plan goals include:




                         22
                          IA refers to the range of information security activities and functions needed to protect
                         DOD’s information and systems.




                         Page 18                                                                      GAO-03-1037T
•   protecting information to ensure that all information has a level of trust
    commensurate with mission needs;

•   defending systems and networks to ensure that no access is uncontrolled
    and that all systems and networks are capable of self-defense; and

•   creating an IA-empowered workforce that is trained, highly skilled,
    knowledgeable, and aware of its role in assuring information.

    The plan also identified specific objectives for each goal. For example, to
    meet the goal of protecting information to ensure that all information has a
    level of trust commensurate with mission needs, DOD identified objectives
    including defining data protection requirements, applying protection
    mechanisms across the enterprise, and developing robust mechanisms
    that protect information. In addition, DOD has developed a
    complementary implementation mechanism for IA known as Defense in
    Depth that uses a multilayered approach with defense mechanisms on
    successive layers at multiple locations.

    Other initiatives highlighted in the DOD CIO’s fiscal year 2002 GISRA
    report included establishing a number of senior-level bodies that discuss,
    brief, and shape the future of IA efforts—such as the CIO Executive Board
    and the Military Communications-Electronics Board—and issuing
    information security policy directives, instructions, manuals, and policy
    memorandums.

    During fiscal year 2003, DOD has continued its efforts to implement IA
    departmentwide by issuing additional policy and guidance. Specifically, in
    October 2002, it issued DOD Directive 8500.1 to establish policy and assign
    responsibility for IA management.23 Further, in February 2003, DOD issued
    DOD Instruction 8500.2, which prescribes a framework for implementing
    the department’s IA program and establishes baseline levels of assurance
    for information systems.24




    23
     Department of Defense Directive Number 8500.1, Information Assurance (IA) (Oct. 24,
    2002)
    24
     Department of Defense Instruction Number 8500.2, Information Assurance (IA)
    Implementation (Feb. 6, 2003).




    Page 19                                                                 GAO-03-1037T
Material Weaknesses             DOD reported eight material weaknesses in fiscal year 2002 for which it
Identified By DOD               said it is undertaking aggressive action to improve and expand its IA
                                capabilities. The actions DOD identified to address the eight deficiencies
                                are:

                            •   completing the implementation of the Information Assurance Vulnerability
                                Alert process to all services and agencies;

                            •   ensuring that effective computer security policies and procedures are
                                distributed in a timely manner;

                            •   improving DOD business processes to ensure that all systems are
                                protected;

                            •   decreasing the time necessary for correction of reported weaknesses;

                            •   ensuring that computer security policies are enforced and security
                                capabilities are tested regularly;

                            •   ensuring that training is conducted for all network personnel (this
                                includes awareness training for all personnel to specific network defense
                                training for system and network administrators);

                            •   increasing access security through the use of electronic tokens; and

                            •   increasing security through certificates (for authentication and
                                nonrepudiation).


DOD Reports Show                OMB’s fiscal year 2002 reporting instructions included new high-level
Further Efforts Needed to       management performance measures that the agencies and IGs were
Implement Key                   required to use to report on agency officials’ performance, such as the
                                number and percentage of systems that have been assessed for risk and
Information Security            that have an up-to-date security plan. In addition, OMB’s reporting
Requirements                    instructions for fiscal year 2002 stated that agencies were expected to
                                review all systems annually.25 OMB explained that GISRA requires senior



                                25
                                  Office of Management and Budget, “Reporting Instructions for the Government
                                Information Security Reform Act and Updated Guidance on Security Plans of Action and
                                Milestones,” Memorandum for Heads of Executive Departments and Agencies, Mitchell E.
                                Daniels, Jr., M-02-09, July 2, 2002.




                                Page 20                                                                GAO-03-1037T
agency program officials to review each security program for effectiveness
at least annually, and that the purpose of the security programs discussed
in GISRA is to ensure the protection of the systems and data covered by
the program. Thus, a review of each system is essential to determine the
program’s effectiveness, and only the depth and breadth of such system
reviews are flexible.

DOD reported data for most performance measures as required. However,
as agreed with OMB, DOD reported these data for only a sample of its
systems and networks rather than for all systems. As a result, DOD cannot
ensure that these performance measures accurately reflect the information
security status of its thousands of systems or that potential weaknesses
for all systems have been identified for correction. Further, reporting on
only a sample of systems limited the usefulness of OMB’s analysis of the
governmentwide status of IT security reported in its fiscal year 2002 report
to the Congress, which considered data for only DOD’s sample of systems
in measuring the overall progress by 24 large agencies.

DOD indicated in its report that because of its size and complexity, the
collection of specific metrics required sizable lead time to allow for the
collection and approval process by each military service and agency. For
this reason, DOD focused its fiscal year 2002 GISRA efforts on (1) a
sample of 366 of its networks (241 unclassified and 125 classified) and
(2) a sample of 155 systems that were selected from the sample of systems
used for DOD’s fiscal year 2001 GISRA review. Although DOD reported
performance measure data for both the sample of networks and the
sample of systems, OMB’s provided comparative results in its report to
Congress primarily for the sample of 155 systems. However, as discussed
later in this statement, DOD did report that 96 percent of its sample of
networks was certified and accredited.

OMB’s fiscal year 2002 GISRA report to the Congress summarized both
agency and overall results for certain key measures for 24 large federal
agencies. Subject to the limitation of DOD’s data, figure 3 summarizes
DOD results for six of these measures for the 155 systems and shows that
most of these measures actually decreased from fiscal year 2001 to fiscal
year 2002. DOD attributed the decreases to inaccuracies in the fiscal year
2001 data. Discussion of these and other measures follow figure 3 and
include a comparison of DOD results to results for other agencies as




Page 21                                                        GAO-03-1037T
                            presented in our recent testimonies before a subcommittee of the House
                            Government Reform Committee.26

                            Figure 3: Reported Results for Selected DOD Information Security Performance
                            Measures




Systems Assessed for Risk   Agencies are required to perform periodic threat-based risk assessments
                            for systems and data. Risk assessments are an essential element of risk
                            management and overall security program management and, as our best


                            26
                             U.S. General Accounting Office, Information Security: Progress Made, But Challenges
                            Remain to Protect Federal Systems and the Nation’s Critical Infrastructures, GAO-03-
                            564T (Washington, D.C.: Apr. 8, 2003), and Information Security: Continued Efforts
                            Needed to Fully Implement Statutory Requirements, GAO-03-852T (Washington, D.C.: Jun.
                            24, 2003).




                            Page 22                                                               GAO-03-1037T
                          practice work has shown, are an integral part of the management
                          processes of leading organizations.27 Risk assessments help ensure that the
                          greatest risks have been identified and addressed, increase the
                          understanding of risk, and provide support for needed controls. Our
                          reviews of federal agencies, however, frequently show deficiencies related
                          to assessing risk, such as security plans for major systems that are not
                          developed on the basis of risk. As a result, the agencies had accepted an
                          unknown level of risk by default rather than consciously deciding what
                          level of risk was tolerable.

                          OMB’s performance measure for this requirement mandated that agencies
                          report the number and percentage of their systems that have been
                          assessed for risk during fiscal year 2001 and fiscal year 2002. DOD
                          reported that for its sample of 155 systems, 68 percent (106) had risk
                          assessments for fiscal year 2002 as compared to 81 percent (125) for fiscal
                          year 2001—a decrease of 13 percentage points. In comparison, our overall
                          analyses of reporting for this measure for all 24 agencies (including DOD)
                          showed that for fiscal year 2002, 11 agencies reported that they had
                          assessed risk for 90 to 100 percent of their systems, and of the remaining
                          13, 8 reported less than 50 percent.

Systems With Up-to-Date   An agency head is required to ensure that the agency’s information
Security Plans            security plans are practiced throughout the life cycle of each agency
                          system. In its reporting instructions, OMB required agencies to report
                          whether the agency head had taken specific and direct actions to oversee
                          that program officials and the CIO are ensuring that security plans are up
                          to date and practiced throughout the life cycle of each system. Agencies
                          also had to report the number and percentage of systems that had an up-
                          to-date security plan.

                          Regarding the status of agencies’ security plans, DOD reported that for its
                          sample of 155 systems, 66 percent (103) had up-to-date security plans for
                          fiscal year 2002—a decrease from the 84 percent (130) reported for fiscal
                          year 2001. In comparison, our overall analysis for all 24 agencies showed
                          that for fiscal year 2002, 7 agencies reported that they up-to-date security
                          plans for 90 to 100 percent of their systems, and of the remaining 17
                          agencies, 9 reported up-to-date security plans for less than 50 percent of
                          their systems.


                          27
                           GAO/AIMD-98-68.




                          Page 23                                                         GAO-03-1037T
Systems Certified and   As one of its performance measures for agency program official
Accredited              responsibilities, OMB required agencies to report the number and
                        percentage of systems that have been authorized for processing following
                        certification and accreditation. Certification is the comprehensive
                        evaluation of the technical and nontechnical security controls of an IT
                        system to support the accreditation process that establishes the extent to
                        which a particular design and implementation meets a set of specified
                        security requirements. Certification provides the necessary information to
                        a management official to formally declare that an IT system is approved to
                        operate at an acceptable level of risk. Accreditation is the authorization of
                        an IT system to process, store, or transmit information, granted by a
                        management official that provides a form of quality control and challenges
                        managers and technical staff to find the best fit for security, given
                        technical constraints, operational constraints, and mission requirements.
                        The accreditation decision is based on the implementation of an agreed
                        upon set of management, operational, and technical controls, and by
                        accrediting the system, the management office accepts the risk associated
                        with it.

                        DOD has established a standard departmentwide process, set of activities,
                        general tasks, and a management structure to certify and accredit
                        information systems and maintain the IA and security posture throughout
                        the life cycle of the system. A companion manual, the DOD Information
                        Technology Security Certification and Accreditation Process (DITSCAP)
                        Application Manual, provides implementation guidance to standardize the
                        certification and accreditation process throughout DOD.28 The DOD CIO
                        reported that the department is implementing the DITSCAP process, but
                        realizes the actual process is complex, lengthy, and costly; and several
                        internal agencies are exploring efforts to streamline DITSCAP.

                        DOD reported that for fiscal year 2002, 55 percent (85) of its sample of 155
                        systems was authorized for processing following certification and
                        accreditation—a decrease from the 61 percent (95) reported for fiscal year
                        2001. For this particular measure, DOD also reported that in fiscal year
                        2002, 96 percent (352) of its 366-network sample was certified and
                        accredited to operate. In comparison, our overall analysis for all 24
                        agencies showed that for fiscal year 2002, only 3 agencies reported that 90



                        28
                         Department of Defense, DOD Information Technology Security Certification and
                        Accreditation Process (DITSCAP) Application Manual, DOD 8510.1-M (July 31, 2000).




                        Page 24                                                               GAO-03-1037T
                               to 100 percent of their systems were authorized for processing following
                               certification and accreditation, and of the remaining 21 agencies, 13
                               reported that less than 50 percent of their systems were authorized,
                               including 3 that reported that none were authorized.

                               According to the DOD IG’s fiscal year 2002 GISRA report, the certification
                               and accreditation data reported by the department for fiscal year 2001
                               included systems that were certified and accredited either under the
                               DITSCAP or another process. In addition, in analyzing a sample of the
                               systems used for the department’s fiscal year 2001 GISRA reporting, the IG
                               found the certification and accreditation status for some systems was
                               incorrectly reported.

Security Control Testing and   An agency head is responsible for ensuring that the appropriate agency
Evaluation                     officials evaluate the effectiveness of the information security program,
                               including testing controls. Further, the agencywide information security
                               program is to include periodic management testing and evaluation of the
                               effectiveness of information security policies and procedures. Periodically
                               evaluating the effectiveness of security policies and controls and acting to
                               address any identified weaknesses are fundamental activities that allow an
                               organization to manage its information security risks cost-effectively,
                               rather than reacting to individual problems ad hoc only after a violation
                               has been detected or an audit finding has been reported. Further,
                               management control testing and evaluation as part of the program reviews
                               can supplement control testing and evaluation in IG and our audits to help
                               provide a more complete picture of the agencies’ security postures.

                               As a performance measure for this requirement, OMB required agencies to
                               report the number and percentage of systems for which security controls
                               have been tested and evaluated during fiscal years 2001 and 2002. DOD
                               reported that for fiscal year 2002, it had tested and evaluated controls for
                               only 28 percent (43) of the 155-system sample—a slight increase from the
                               23 percent (35) reported for fiscal year 2001. In comparison, our overall
                               analysis for all 24 agencies showed that for fiscal year 2002, only 4
                               agencies reported they had tested and evaluated controls for 90 to 100
                               percent of their systems, and of the remaining 20 agencies, 10 reported
                               less than 50 percent.

System Contingency Plans       Contingency plans provide specific instructions for restoring critical
                               systems, including such items as arrangements for alternative processing
                               facilities, in case the usual facilities are significantly damaged or cannot be
                               accessed. These plans and procedures help to ensure that critical
                               operations can continue when unexpected events occur, such as

                               Page 25                                                          GAO-03-1037T
                                 temporary power failure, accidental loss of files, or major disaster.
                                 Contingency plans should also identify which operations and supporting
                                 resources are critical and need to be restored first and should be tested to
                                 identify their weaknesses. Without such plans, agencies have inadequate
                                 assurance that they can recover operational capability in a timely, orderly
                                 manner after a disruptive attack.

                                 As another of its performance measures, OMB required agencies to report
                                 the number and percentage of systems for which contingency plans had
                                 been prepared and had been tested in the past year. DOD reported that of
                                 its 155-system sample, 66 percent (103) of its systems had contingency
                                 plans for fiscal year 2002—a decrease from the 85 percent (131) reported
                                 for fiscal year 2001. However, more significantly, DOD also reported that
                                 for fiscal year 2002, only 21 percent (32) of its sample of systems had
                                 contingency plans that had been tested within the past year. In
                                 comparison, our overall analysis for all 24 agencies showed that for fiscal
                                 year 2002, only 2 agencies reported they had tested contingency plans for
                                 90 to 100 percent of their systems, and of the remaining 22 agencies, 20
                                 reported less than 50 percent, including 1 that reported none had been
                                 tested.

Incident-Handling Capabilities   Agencies are required to implement procedures for detecting, reporting,
                                 and responding to security incidents. Although even strong controls may
                                 not block all intrusions and misuse, organizations can reduce the risks
                                 associated with such events if they promptly take steps to detect
                                 intrusions and misuse before significant damage can be done. In addition,
                                 accounting for and analyzing security problems and incidents are effective
                                 ways for an organization to gain a better understanding of threats to its
                                 information and of the cost of its security-related problems. Such analyses
                                 can also pinpoint vulnerabilities that need to be addressed to help ensure
                                 that they will not be exploited again. In this regard, problem and incident
                                 reports can provide valuable input for risk assessments, help in prioritizing
                                 security improvement efforts, and be used to illustrate risks and related
                                 trends in reports to senior management.

                                 In March 2001, we reported that over the past several years, DOD had
                                 established incident response capabilities for the military services and
                                 enhanced computer defensive capabilities across the department.29


                                 29
                                  U.S. General Accounting Office, Information Security, Challenges to Improving DOD’s
                                 Incident Response Capabilities, GAO-01-341 (Washington, D.C.: Mar. 29, 2001).




                                 Page 26                                                                GAO-03-1037T
However, we also identified six areas in which DOD faced challenges in
improving its incident response capabilities, including (1) coordinating
resource planning and priorities for incident response across the
department; (2) integrating critical data from systems, sensors, and other
devices to better monitor cyber events and attacks; (3) establishing a
departmentwide process to periodically and systematically review systems
and networks on a priority basis for security weaknesses; (4) ensuring that
components across the department consistently and fully report
compliance with vulnerability alerts; (5) improving the coordination and
suitability of component-level incident response actions; and (6)
developing departmentwide performance measures to assess incident
response capabilities and thus better ensure mission readiness. Although
DOD was aware of these challenges and had undertaken some initiatives
to address them, the initiatives were not complete at the time of our
review. We recommended that DOD act to address these challenges to
better protect its systems and networks from cyber threats and attacks.
Currently, DOD reports that it has made progress in addressing many of
these challenges.

For fiscal year 2002 GISRA reporting, OMB required agencies to report
several performance measures related to detecting, reporting, and
responding to security incidents. These included the number of agency
components with an incident-handling and response capability, whether
the agency and its major components share incident information with the
Federal Computer Incident Response Center (FedCIRC)30 in a timely
manner, and the numbers of incidents reported. OMB also required that
agencies report on how they confirmed that patches have been tested and
installed in a timely manner.

In its fiscal year 2002 GISRA report, the DOD CIO reported that essentially
all its components have an incident handling and response capability and
that DOD has made significant progress in developing its computer
network defense capabilities, including the January 2001 issuance of DOD
Directive O-8530.1, “Computer Network Defense,” which established
computer network defense policy, definition, and department
responsibilities. The CIO also reported that through its computer network



30
  FedCIRC, formerly within the General Services Administration and now part of the
Department of Homeland Security, was established to provide a central focal point for
incident reporting, handling, prevention and recognition for the federal government.




Page 27                                                                   GAO-03-1037T
                            defense capabilities, DOD could monitor, analyze, detect, and respond to
                            unauthorized activity within DOD information systems and computer
                            networks. In addition, the CIO reported that each of the major military
                            services has a robust computer emergency response team (CERT) and
                            integrated network operations centers. Further, the report states that the
                            DOD CERT works closely with FedCIRC on all incidents within the .gov
                            Internet domain and, along with other service and agency CERTs, shares
                            incident information with FedCIRC within 10 minutes to 48 hours
                            depending on the seriousness of the incident. The Joint Task Force for
                            Computer Network Operations and the DOD CERT take responsibility for
                            incidents within the .mil Internet domain.

                            In comparison to DOD, our analyses of agencies’ fiscal year 2002 GISRA
                            reports showed that most agencies reported that they have established
                            incident-response capabilities. For example, 12 agencies reported that for
                            fiscal year 2002, 90 percent or more of their components had incident
                            handling and response capabilities, and 8 others reported that they
                            provided these capabilities to components through a central point within
                            the agency.

Security Training for       Agencies are required to provide training on security awareness for agency
Employees and Contractors   personnel and on security responsibilities for information security
                            personnel. Our studies of best practices at leading organizations have
                            shown that such organizations took steps to ensure that personnel
                            involved in various aspects of their information security programs had the
                            skills and knowledge they needed. They also recognized that staff
                            expertise had to be frequently updated to keep abreast of ongoing changes
                            in threats, vulnerabilities, software, security techniques, and security
                            monitoring tools.

                            Among the performance measures for these requirements, OMB mandated
                            that agencies report the number and percentage of employees—including
                            contractors—who received security training during fiscal years 2001 and
                            2002, and the number of employees with significant security
                            responsibilities who received specialized training. In response to these
                            measures, the DOD CIO reported that it provides departmentwide,
                            component-level security training and periodic updates for all employees,
                            but that actual numbers and the percentage of agency employees who
                            received security training in fiscal year 2002 were not available at the time
                            of its report. For employees with significant security responsibilities, the
                            CIO reported that specialized security and technical training is provided to
                            persons empowered to audit, alter, or affect the intended behavior or
                            content of an IT system, such as system/network administrators and

                            Page 28                                                         GAO-03-1037T
                          information systems security officers. Additional training is also provided
                          for others, such as CERT members, computer crime investigators, and
                          Web masters/site managers. However, performance measure data reported
                          for employees with significant security responsibilities showed that of
                          39,783 such employees, 42 percent (16,812) received specialized training in
                          fiscal year 2002—a decrease of 9 percentage points from the 51 percent
                          reported for fiscal year 2001.

                          In comparison with other major federal agencies, for specialized training
                          for employees with significant security responsibilities, our analyses
                          showed that 12 agencies reported 50 percent or more of their employees
                          with significant security responsibilities had received specialized training
                          for fiscal year 2002, with 5 of these reporting 90 percent or more. Of the
                          remaining 12 agencies, 9 including DOD reported that less than half of
                          such employees received specialized training, 1 reported that none had
                          received such training, and 2 did not provide sufficient data for this
                          measure.

Security of Contractor-   Agencies are required to develop and implement risk-based, cost-effective
Provided Services         policies and procedures to provide security protection for information
                          collected or maintained by or for the agency. In its fiscal year 2001 GISRA
                          report to the Congress, OMB identified poor security for contractor-
                          provided services as a common weakness, and for fiscal year 2002
                          reporting, included performance measures to help indicate whether the
                          agency program officials and CIO used appropriate methods, such as
                          audits and inspections, to ensure that service provided by a contractor are
                          adequately secure and meet security requirements.

                          For fiscal year 2002 GISRA, the DOD CIO reported that there was
                          insufficient time and resources to accurately collect requested
                          performance measure data. The CIO also reported that execution and
                          verification of contractor services and facilities are managed at the
                          subagency levels, and that agency program officials use audits or
                          inspections to ensure that contractor-provided services are adequately
                          secure and meet statutory information security requirements, OMB policy,
                          and NIST guidance. The DOD IG did not review the status of contractor-
                          provided services for compliance with GISRA, but did identify several
                          reports issued from August 2001 to July 2002 by military service audit
                          agencies that discussed weaknesses in background investigations.
                          Screening of contractor or subcontractor employees as a condition for
                          physical or computer systems access is a recommended safeguard, and
                          depending on the program or system criticality or information sensitivity,
                          can range from minimal checks to complete background investigations.

                          Page 29                                                         GAO-03-1037T
                            As previously discussed, our past analyses of audit results for 24 of the
Challenges to               largest federal agencies showed that all 24 had significant weaknesses in
Implementing an             security program management, which covers a range of activities related
                            to understanding information security risks; selecting and implementing
Effective Information       controls commensurate with risk; and ensuring that controls, once
Security Management         implemented, continue to operate effectively.31 Establishing a strong
                            security management program requires that agencies take a
Program                     comprehensive approach that involves both (1) senior agency program
                            managers who understand which aspects of their missions are the most
                            critical and sensitive and (2) technical experts who know the agencies’
                            systems and can suggest appropriate technical security control techniques.
                            We studied the practices of organizations with superior security programs
                            and summarized our findings in a May 1998 executive guide entitled
                            Information Security Management: Learning From Leading Organizations.32
                            Our study found that these organizations managed their information
                            security risks through a cycle of risk management activities. These
                            activities, which are now among the federal government’s statutory
                            information security requirements, included

                        •   assessing risks and determining protection needs, selecting and
                            implementing cost-effective policies and controls to meet those needs,

                        •   promoting awareness of policies and controls and of the risks that
                            prompted their adoption among those responsible for complying with
                            them, and

                        •   implementing a program of routine tests and examinations for evaluating
                            the effectiveness of policies and related controls and reporting the
                            resulting conclusions to those who can take appropriate corrective action.

                            Although GISRA reporting provided performance information on these
                            areas, it is important for agencies to ensure that they have the appropriate
                            management structures and processes in place to strategically manage
                            information security, as well as ensure the reliability of performance
                            information. For example, disciplined processes can routinely provide the
                            agency with timely, useful information for day-to-day management of
                            information security. Also, developing management strategies that identify


                            31
                             GAO-02-231T and GAO-03-303T.
                            32
                             GAO/AIMD-98-68.




                            Page 30                                                        GAO-03-1037T
specific actions, time frames, and required resources may help to
significantly improve performance.

In January 1998, DOD announced its plans for DIAP—a program intended
to promote integrated, comprehensive, and consistent IA practices across
the department. In February 1999, the department issued an approved
implementation plan, which described, at a high level, the program’s goals,
objectives, and organizational structure, and confirmed its responsibility
for the planning, coordination, integration, and oversight of Defense-wide
computer security initiatives.

In March 2001, we reported that DIAP had made progress in addressing IA,
but that the department had not yet met its goals for promoting integrated,
comprehensive, and consistent practices across DOD.33 The program’s
progress was limited by weaknesses in its management framework and
unmet staffing expectations. DOD had not established a performance-
based management framework for IA improvement at the department
level. As a result, DOD was unable to accurately determine the status of IA
across the department, the progress of its improvement efforts, or the
effectiveness of its initiatives. Also, understaffing kept the program from
fulfilling its central role in planning, monitoring, coordinating, and
integrating Defense-wide IA activities, and changes in the composition and
authority of other key organizations interacting with DIAP left it without a
consistent and fully supportive environment for its operations. We
concluded that achieving this program’s vision for information superiority
would require the commitment of DOD to proven IA management
practices. To improve progress toward the department’s goals, we made
recommendations to the Secretary of Defense in the areas of component
commitments to DIAP and executive-level monitoring of the program. We
also recommended that the DOD CIO institute performance-based
management of DIAP through a defined budget and performance
objectives, and that the program manager take steps to address the
program’s unmet goals.

DOD has made some progress in addressing our previous
recommendations and, as discussed previously, during fiscal year 2003,



33
 U.S. General Accounting Office, Information Security: Progress and Challenges to an
Effective Defense-wide Information Assurance Program, GAO-01-307 (Washington, D.C.:
Mar. 30, 2001).




Page 31                                                                GAO-03-1037T
           DOD issued guidance to establish policy and assign responsibility for IA
           management and to prescribe a framework for implementing the
           department’s IA program and establish baseline levels of assurance for
           information systems. Despite such steps, OMB reported in its fiscal year
           2002 report to the Congress that the overall results of the Defense audit
           community’s assessment of the DOD fiscal year 2001 GISRA reporting
           reinforced the position that DOD does not have mechanisms in place for
           comprehensively measuring compliance with federal and Defense
           information security policies and ensuring that those policies are
           consistently practiced throughout the department.

           In summary, DOD has taken positive steps through its policy and guidance
           to establish information security as a priority for the department.
           However, as its fiscal year 2002 GISRA reporting showed, further effort is
           needed to fully implement statutory information security requirements
           departmentwide and to expand future FISMA reporting to all systems.
           Significant improvement will likely require DOD to establish
           departmentwide processes that routinely provide information for day-to-
           day management of information security and to develop management
           strategies that identify specific actions, time frames, and required
           resources. With the first agency reporting under FISMA due in September
           2003, updated information on the status of DOD’s efforts will be available
           for continued congressional oversight.

           Mr. Chairman, this concludes my written testimony. I would be pleased to
           answer any questions that you or other members of the Subcommittee
           may have at this time. If you should have any questions about this
           testimony, please contact me at (202) 512-3317. I can also be reached by E-
           mail at daceyr@gao.gov.




(310505)
           Page 32                                                       GAO-03-1037T
This is a work of the U.S. government and is not subject to copyright protection in the
United States. It may be reproduced and distributed in its entirety without further
permission from GAO. However, because this work may contain copyrighted images or
other material, permission from the copyright holder may be necessary if you wish to
reproduce this material separately.
                         The General Accounting Office, the audit, evaluation and investigative arm of
GAO’s Mission            Congress, exists to support Congress in meeting its constitutional
                         responsibilities and to help improve the performance and accountability of the
                         federal government for the American people. GAO examines the use of public
                         funds; evaluates federal programs and policies; and provides analyses,
                         recommendations, and other assistance to help Congress make informed
                         oversight, policy, and funding decisions. GAO’s commitment to good
                         government is reflected in its core values of accountability, integrity, and
                         reliability.


                         The fastest and easiest way to obtain copies of GAO documents at no cost is
Obtaining Copies of      through the Internet. GAO’s Web site (www.gao.gov) contains abstracts and full-
GAO Reports and          text files of current reports and testimony and an expanding archive of older
                         products. The Web site features a search engine to help you locate documents
Testimony                using key words and phrases. You can print these documents in their entirety,
                         including charts and other graphics.

                         Each day, GAO issues a list of newly released reports, testimony, and
                         correspondence. GAO posts this list, known as “Today’s Reports,” on its Web
                         site daily. The list contains links to the full-text document files. To have GAO e-
                         mail this list to you every afternoon, go to www.gao.gov and select “Subscribe to
                         e-mail alerts” under the “Order GAO Products” heading.


Order by Mail or Phone   The first copy of each printed report is free. Additional copies are $2 each. A
                         check or money order should be made out to the Superintendent of Documents.
                         GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to
                         a single address are discounted 25 percent. Orders should be sent to:

                         U.S. General Accounting Office
                         441 G Street NW, Room LM
                         Washington, D.C. 20548

                         To order by Phone:    Voice:     (202) 512-6000
                                               TDD:       (202) 512-2537
                                               Fax:       (202) 512-6061


                         Contact:
To Report Fraud,
                         Web site: www.gao.gov/fraudnet/fraudnet.htm
Waste, and Abuse in      E-mail: fraudnet@gao.gov
Federal Programs         Automated answering system: (800) 424-5454 or (202) 512-7470


                         Jeff Nelligan, Managing Director, NelliganJ@gao.gov (202) 512-4800
Public Affairs           U.S. General Accounting Office, 441 G Street NW, Room 7149
                         Washington, D.C. 20548